https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/creating-ci-build-and-run-policies-for-container-image-labels/m-p/588245#M1229 <P>We have been deploying custom build and run policies via Checkov (targeting Terraform resources, i.e.: VMs). We do this via the Governance pane in the Prisma Cloud "Cloud Security" component. These policies check usage of tags. Cool.<BR /><BR /></P> <P>Now we're trying to create an equivalent set of policies for Container Images Labels. Specifically,&nbsp;we want to create guardrails and alerting around the usage of container images labels.</P> <P>&nbsp;</P> <P>Anyone have an idea on how to create custom policies for this with Prisma Cloud?&nbsp;(either from CSPM/governance or the CWP/runtime compliance checks, the documentation and examples is not loads extensive and support seems to be missing at times).</P> <P>&nbsp;</P> <P>Thoughts?</P> <P><LI-PRODUCT title="Prisma Cloud" id="Prisma_Cloud"></LI-PRODUCT>&nbsp;</P> Wed, 29 May 2024 10:17:19 GMT patriciar 2024-05-29T10:17:19Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/creating-ci-build-and-run-policies-for-container-image-labels/m-p/588245#M1229 <P>We have been deploying custom build and run policies via Checkov (targeting Terraform resources, i.e.: VMs). We do this via the Governance pane in the Prisma Cloud "Cloud Security" component. These policies check usage of tags. Cool.<BR /><BR /></P> <P>Now we're trying to create an equivalent set of policies for Container Images Labels. Specifically,&nbsp;we want to create guardrails and alerting around the usage of container images labels.</P> <P>&nbsp;</P> <P>Anyone have an idea on how to create custom policies for this with Prisma Cloud?&nbsp;(either from CSPM/governance or the CWP/runtime compliance checks, the documentation and examples is not loads extensive and support seems to be missing at times).</P> <P>&nbsp;</P> <P>Thoughts?</P> <P><LI-PRODUCT title="Prisma Cloud" id="Prisma_Cloud"></LI-PRODUCT>&nbsp;</P> Wed, 29 May 2024 10:17:19 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/creating-ci-build-and-run-policies-for-container-image-labels/m-p/588245#M1229 patriciar 2024-05-29T10:17:19Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/creating-ci-build-and-run-policies-for-container-image-labels/m-p/617835#M1357 <P>Hi Patriciar,</P> <P>&nbsp;</P> <P>If you would like to check for existence of labels in a Dockerfile at build time you can write a simple custom check, for example to check for org and purpose labels:</P> <LI-CODE lang="markup">metadata: id: "MyLabelCheck" name: "Ensure org and purpose labels are present" category: "APPLICATION_SECURITY" definition: and: - cond_type: attribute resource_types: - LABEL attribute: value operator: contains value: "purpose=" - cond_type: attribute resource_types: - LABEL attribute: value operator: contains value: "org="</LI-CODE> <P>That will check against the LABEL directive in Dockerfile, for example</P> <LI-CODE lang="markup">FROM node:alpine LABEL org=Accounting purpose=Appserver RUN useradd -m appuser USER appuser WORKDIR /usr/src/app ..etc..</LI-CODE> <P>Then you can tell checkov to load the additional check from the directory where you placed the yaml file</P> <LI-CODE lang="markup">checkov [other paramereters] --framework dockerfile --external-checks-dir my_yaml_checks_dir/ --check MyLabelCheck </LI-CODE> <P>&nbsp;</P> <P>Hope this helps</P> Thu, 14 Nov 2024 20:28:15 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/creating-ci-build-and-run-policies-for-container-image-labels/m-p/617835#M1357 JNeytchev 2024-11-14T20:28:15Z